Images

Classifications

• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/60—Protecting data
  • G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
  • G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices

Definitions

• Computer systems and related technology affect many aspects of society. Indeed, the computer system's ability to process information has transformed the way we live and work. Computer systems now commonly perform a host of tasks (e.g., word processing, scheduling, accounting, etc.) that prior to the advent of the computer system were performed manually. More recently, computer systems have been coupled to one another and to other electronic devices to form both wired and wireless computer networks over which the computer systems and other electronic devices can transfer electronic data. Accordingly, the performance of many computing tasks are distributed across a number of different computer systems and/or a number of different computing environments.
• tasks e.g., word processing, scheduling, accounting, etc.
• a passport can be used at immigration desk to establish identity as a citizen of a particular country.
• a driver's license can be used during a traffic stop to establish identity as a licensed driver.
• a passport typically can not be used to establish identity as a licensed driver and a driver's license typically can not be used to establish citizenship.
• Digital identities are often authenticated by submitting a user ID and password. If the password matches that assigned to the user ID, a submitting entity is authenticated. Based on the authentication, the submitting entity may be permitted to perform any operations (access content, edit files, mange a server, etc.) that are authorized for the user ID.
• Authorized operations can be assigned on a per context basis, such as, for example, per organization, etc. That is, for each organization a user can be assigned a user ID and password and can be authorized to perform various operations.
• ACL Access Control Lists
• an ACL is a list of permissions attached to an object, such as, for example, a file. The list specifies who or what is allowed to access the object and what operations are allowed to be performed on the object.
• each entry in the list specifies a subject and an operation: for example, the entry (User1, delete) on the ACL for file XYZ gives User1 permission to delete file XYZ.
• Typical ACL-based systems assign permissions to individual users, which can become cumbersome in a system with a large number of users.
• RBAC role-based access control
• permissions are assigned to roles, and roles are assigned to users.
• either approach still requires the maintenance of ACLs and a checking infrastructure to verify permissions within ACLs.
• resources are accessible via a number of different mechanisms, such as, for example, via different types of applications and/or sessions/connections.
• Protecting resources using a security model based on ACLs each different mechanism used to access a resource would typically be required to implement the security model.
• data in a database can be protected using a security model based on ACLs.
• the database may be accessible from a variety of tools, such as, for example, a reporting service, a spreadsheet application, etc. Each of these tools must implement the security model of the database, for example, protocols, credential formats, etc., (essentially flawlessly) to authenticate with the database and obtain access to data in the database.
• resource access can include efforts to configure applications to match security models of various different resource providers.
• different organizations control applications and resource providers making coordination of these efforts difficult.
• these efforts are essentially unmanageable.
• the present invention extends to methods, systems, and computer program products for securing resource stores with claims based security.
• a resource store receives policy information for the resource store.
• the resource store derives permissions for accessing secured resources in the resource store from the received policy information.
• the permissions define secured operations that can be performed on secured resources in the resource store based on received identity information.
• the permissions are derived from various policies.
• the policies can include a secured operations table defining the secured operations that are possible for the resource store.
• the policies can also include a secured resources table defining the secured resources within the resource store.
• Each secured resource is a specified resource type, from among a plurality of different resource types.
• Each of the plurality of different resource types is defined in a secured resource types table.
• the resource store receives identity information for a session connected to the resource store.
• the identity information is accumulated from one or more claims submitted to the resource store on behalf of the session.
• the resource store determines the resource types that the session can access based on the derived permissions and the received identity information.
• the resource store accesses a metadata table that maps secured resource identifiers to corresponding resource types.
• the resource store filters the metadata table into a subset of metadata that includes resource identifiers for secured resources of the resource types the session can access.
• a session is provided access to a secure resource in the resource store.
• the resource store receives a request over a session connected to the resource store.
• the request is to perform an operation on secured resources of a specified resource type contained in the resource store.
• the resource store refers to a claims list for the session.
• the claims list including claims for the session accumulated from one or more previously received security tokens. Each claim asserts identify information for the session.
• the resource store refers to a security table at the resources store.
• the security table contains permissions for accessing secured resources contained in the resource store.
• the permissions define secured operations that are authorized for secured resources contained in the resource store based on received identity information.
• the resource store determines from the permissions that the connection is authorized to perform the requested operation on secured resources of the specified resource type based on the accumulated claims contained in the claims list.
• the resource store performs the requested operation for any secured resources of the specified type contained in the resource store.
• FIG. 1A illustrates an example computer architecture that facilitates securing resource stores with claims-based security
• FIG. 1B illustrates an example data flow within the example computer architecture of FIG. 1A for securing resources of a resource store.
• FIG. 1C illustrates other components of the example computer architecture of FIG. 1A .
• FIG. 1D illustrates example base-tables for storing claim-based security information.
• FIG. 2 illustrates a flow chart of an example method for securing a resource store.
• FIG. 3 illustrates a flow chart of an example method for providing secure access to resources in a resource store.
• the present invention extends to methods, systems, and computer program products for securing resource stores with claims based security.
• a resource store receives policy information for the resource store.
• the resource store derives permissions for accessing secured resources in the resource store from the received policy information.
• the permissions define secured operations that can be performed on secured resources in the resource store based on received identity information.
• the policies can include a secured operations table defining the secured operations that are possible for the resource store.
• the policies can also include a secured resources table defining the secured resources within the resource store.
• Each secured resource is a specified resource type, from among a plurality of different resource types.
• Each of the plurality of different resource types is defined in a secured resource types table.
• the resource store receives identity information for a session connected to the resource store.
• the identity information is accumulated from one or more claims submitted to the resource store on behalf of the session.
• the resource store determines the resource types that the session can access based on the derived permissions and the received identity information.
• the resource store accesses a metadata table that maps secured resource identifiers to corresponding resource types.
• the resource store filters the metadata table into a subset of metadata that includes resource identifiers for secured resources of the resource types the session can access.
• a session is provided access to a secure resource in the resource store.
• the resource store receives a request over a session connected to the resource store.
• the request is to perform an operation on secured resources of a specified resource type contained in the resource store.
• the resource store refers to a claims list for the session.
• the claims list including claims for the session accumulated from one or more previously received security tokens. Each claim asserts identify information for the session.
• the resource store refers to a security table at the resources store.
• the security table contains permissions for accessing secured resources contained in the resource store.
• the permissions define secured operations that are authorized for secured resources contained in the resource store based on received identity information.
• the resource store determines from the permissions that the connection is authorized to perform the requested operation on secured resources of the specified resource type based on the accumulated claims contained in the claims list.
• the resource store performs the requested operation for any secured resources of the specified type contained in the resource store.
• Embodiments of the present invention may comprise or utilize a special purpose or general-purpose computer including computer hardware, as discussed in greater detail below.
• Embodiments within the scope of the present invention also include physical and other computer-readable media for carrying or storing computer-executable instructions and/or data structures.
• Such computer-readable media can be any available media that can be accessed by a general purpose or special purpose computer system.
• Computer-readable media that store computer-executable instructions are physical storage media.
• Computer-readable media that carry computer-executable instructions are transmission media.
• embodiments of the invention can comprise at least two distinctly different kinds of computer-readable media: physical storage media and transmission media.
• Physical storage media includes RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store desired program code means in the form of computer-executable instructions or data structures and which can be accessed by a general purpose or special purpose computer.
• a “network” is defined as one or more data links that enable the transport of electronic data between computer systems and/or modules and/or other electronic devices.
• a network or another communications connection can include a network and/or data links which can be used to carry or desired program code means in the form of computer-executable instructions or data structures and which can be accessed by a general purpose or special purpose computer. Combinations of the above should also be included within the scope of computer-readable media.
• program code means in the form of computer-executable instructions or data structures can be transferred automatically from transmission media to physical storage media (or vice versa).
• program code means in the form of computer-executable instructions or data structures received over a network or data link can be buffered in RAM within a network interface module (e.g., a “NIC”), and then eventually transferred to computer system RAM and/or to less volatile physical storage media at a computer system.
• a network interface module e.g., a “NIC”
• NIC network interface module
• physical storage media can be included in computer system components that also (or even primarily) utilize transmission media.
• Computer-executable instructions comprise, for example, instructions and data which cause a general purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions.
• the computer executable instructions may be, for example, binaries, intermediate format instructions such as assembly language, or even source code.
• the invention may be practiced in network computing environments with many types of computer system configurations, including, personal computers, desktop computers, laptop computers, message processors, hand-held devices, multi-processor systems, microprocessor-based or programmable consumer electronics, network PCs, minicomputers, mainframe computers, mobile telephones, PDAs, pagers, routers, switches, and the like.
• the invention may also be practiced in distributed system environments where local and remote computer systems, which are linked (either by hardwired data links, wireless data links, or by a combination of hardwired and wireless data links) through a network, both perform tasks.
• program modules may be located in both local and remote memory storage devices.
• FIG. 1A illustrates an example computer architecture 100 that facilitates securing resource stores using claims-based security.
• computer architecture 100 includes client module 102 , identity store 106 , policy store 107 , and repository 101 .
• client module 102 client module 102
• identity store 106 identity store 106
• policy store 107 policy store 107
• repository 101 repository 101
• Each of the depicted components can be connected to one another over (or be part of) a network, such as, for example, a Local Area Network (“LAN”), a Wide Area Network (“WAN”), and even the Internet.
• LAN Local Area Network
• WAN Wide Area Network
• each of the depicted components as well as any other connected components can create message related data and exchange message related data (e.g., Internet Protocol (“IP”) datagrams and other higher layer protocols that utilize IP datagrams, such as, Transmission Control Protocol (“TCP”), Hypertext Transfer Protocol (“HTTP”), Simple Mail Transfer Protocol (“SMTP”), etc.) over the network.
• IP Internet Protocol
• TCP Transmission Control Protocol
• HTTP Hypertext Transfer Protocol
• SMTP Simple Mail Transfer Protocol
• client module 102 (e.g., an operating system client) includes one or more applications, such as, for example, application 103 A, application 103 B, etc. From time to time, each of the one or more applications can request access to secured resources at repository 101 (e.g., a SQL database). Client module 102 can be configured to establish a session to repository 101 for use by any of the one or more applications. Client 102 is also configured to request and receive claims from identity providers. Upon obtaining claims for an identity provider, client module 102 can submit claims to relying party, such as, for example, repository 101 .
• relying party such as, for example, repository 101 .
• Identity store 106 (e.g., active directory (“AD”)) is configured to provide identity information to a client module.
• identify store 106 can provide an identity token to a requesting client module.
• the identity token can include one or more claims with respect to the identity of the client module.
• Policy store 107 is also configured to provide identity information to a client module.
• policy store 107 can provide a token to a requesting client module.
• the token can include one or more claims with respect to the identity of the client module.
• identity store 106 and policy store 107 both include identity provider functionality.
• Policy store 107 can also be configured to submit policy information to repository 101 .
• Submitted policy information can include relevant policy information for repository 101 , for example, that administrators have set up for repository 101 using policy administration tools.
• Repository 101 is configured to receive policy information and derive permissions for securing resources from the received policy information. Alternately, administrators can use stored procedures and updatable views to set permissions for accessing secure resources at repository 101 .
• Repository 101 can store permissions, whether they are derived or set through procedures and updatable views, in security table 112 .
• Security processing module 104 can receive claims and accumulate claims for a client module in a claims list. Received claims can correspond to a specified application at a client module or generally to a session or connection between the client module and repository 101 . When claims correspond to a session or connection, security processing module can apply the claims to any application that utilizes the session or connection.
• Metadata table 111 includes metadata 114 that maps resource identifiers to various metadata.
• the resource identifiers can identify secured resources in a storage location at repository 101 (or that repository 101 controls access to).
• Metadata 114 is used in claims-based security processing to determine if an operation request is authorized for a secured resource.
• Policy store 107 can send policy 108 to repository 101 . From policy 108 , repository 101 can derive permissions 113 . Repository 101 can then store permissions 113 in security table 112 .
• an application at client module 102 may desire to perform an operation on a secured resource of repository 101 .
• Client module 102 can send ID token request 121 to identity store 106 .
• ID token request 121 can include appropriate credentials such that identity store 106 can authenticate client module 102 as the sender of ID token request 121 .
• Identity store 106 can return ID token 122 to client module 102 in response to receiving token request 121 .
• ID token 122 can include some claims with respect to the (e.g., basic) identity of client module 102 , such as, for example, an operating system identity and group memberships. More specifically, claim 124 identifies client 102 as a member of the domain “org.com”
• Client module 102 can submit logon 123 , including ID token 122 , to repository 101 .
• Security processing module 104 can receive logon 123 and extract claim 124 from ID token 122 .
• Security processing module 104 can then exchange further data with client module 102 to establish session 109 between client module 102 and repository 101 .
• Security processing module 104 then establishes claims list 143 for session 143 and inserts claim 124 into claims list 143 .
• Client module 102 can also request other claims from other identity providers.
• the application at client module 102 can submit claims request 126 to policy store 107 .
• Claims request 126 can include appropriate credentials such that policy store can authenticate client module 102 as the sender of claims request 126 .
• Policy store 107 can return token 127 to client module 102 in response to receiving claims request 126 .
• Token 127 can include additional claims with respect to the identity of client module 102 , such as, for example, further domain or group memberships. More specifically, claim 128 identifies client 102 as a member of the group “Division A” and claim 129 identifies client 102 as a member of Corporation “Corp 1”.
• client module 102 can request a nonce from repository 101 .
• client module 102 can submit nonce request 131 to repository 101 .
• Security processing module can receive nonce request 131 .
• security processing module 104 can return nonce 132 to client module 102 .
• Nonce 132 is used to minimize the possibility of replay attacks when passing claims.
• Client module 102 can then combine nonce 132 and claims 128 and 129 into claims 133 .
• Client module 102 can then send claims 133 to repository 101 .
• Claims 133 can be signed and the signing key can be passed in a (e.g., SAML) token to repository 101 .
• Security processing module 104 verifies the token and adds claims 128 and 129 to claims list 143
• FIG. 1B illustrates an example data flow 150 within the example computer architecture of FIG. 1A for securing resources of a resource store.
• FIG. 2 illustrates a flow chart of an example method 200 for securing a resource store. The method 200 will be described with respect to the data in data flow 150 as well as other components and data of computer architecture 100 .
• Method 200 includes an act of receiving policy information for a resource store (act 201 ).
• repository 101 can receive policy 108 .
• secured resource types 181 , secured resources 182 , and secured operations 191 can each represent a portion of policy 108 .
• Secured resource types 181 indicates the types of resources, such as, for example, type 181 containers and type 182 container versions, that are that are to be secured at repository 101 .
• Secured resources 182 indicates specific instances of secured resource types that are to be protected at repository 101 .
• resource 182 A represents that repository 101 is to secure containers for a programming framework.
• resource 182 D represents that repository 101 is to secure containers for Corp 1.
• Resource 182 B represents that repository 101 is to secure version 1.0 of the programming framework.
• resource 182 C represents that repository 101 is to secure version 2.0 of the programming framework.
• Secured operations 191 indicate secured operations that can be used at repository 101 .
• Operation 191 A indicates that secured resources at repository 101 can be read.
• Operation 191 B indicates that secured resources are repository 101 can be updated.
• Method 200 includes an act of deriving permissions for accessing secured resources in the resource store from the received policy information (act 202 ).
• permissions 113 can be derived from policy 108 .
• the permissions define secured operations that can be performed on secured resources in the resource store based on received identity information.
• permissions 113 define read and update operations authorized for secured resources of repository 101 based on received identity information.
• the permissions are derived from a secured operations table defining the secured operations that are possible for the resource store.
• the permissions are also derived from a secured resources table defining the secured resources within the resource store.
• Each secured resource is a specified resource type, from among a plurality of different resource types.
• the permissions are derived from each of the plurality of different resource types defined in a secured resource types table.
• permissions 113 can be derived from secured resource types 181 , secured resources 182 , and secured operations 191 .
• Method 200 includes an act of receiving identity information for a session connected to the resource store (act 203 ).
• repository 101 can receive identity information for session 109 .
• the identity information is accumulated from one or more claims submitted to the resource store on behalf of the session.
• claims list 143 includes claims accumulated from ID token 122 and token 127 .
• Method 200 includes an act of determining the resource types that the session can access based on the derived permissions and the received identity information (act 204 ).
• repository 101 can determine resource types that session 109 can access based on permissions 113 and claims list 143 .
• Readable containers 186 represents the containers that session 109 is authorized to read. For example, session 109 is authorized to read resources in Framework 2.0 ( 182 C) and resources in Corp. 1 ( 182 D).
• Readable container versions 188 represents versions of containers that session 109 is authorized to read. For example, session 109 is authorized to read resources in Framework 2.0 ( 182 C). However, session 109 is not authorized to read resources in Framework 1.0 ( 182 B).
• Updatable resources 187 represents the resources that session 109 is authorized to update. Based on claims list 143 and permissions 113 , session 109 is not authorized to update any resources. When appropriate, updateable contain versions (similar to readable container versions 188 ) may also result.
• Method 200 includes an act accessing a metadata table that maps secured resource identifiers to corresponding resource types (act 205 ).
• repository 101 can access metadata table 111 .
• Metadata table 111 maps resource identifies to corresponding containers and container versions.
• Method 200 includes an act of filtering metadata table into a subset of metadata that includes resource identifiers for secured resources of the resource types the session can access (act 206 ).
• repository 101 can filter metadata table 111 into resources 189 (metadata 114 C, 114 D, and 114 E).
• Resources 189 includes resource IDs for resources (e.g., assemblies) in the containers and container versions session 109 can access.
• base tables are used for storing claims-based security information.
• FIG. 1D illustrates example base-tables for storing claim-based security information. Many of the tables in FIG. 1D correspond to and define the format of data in data flow 150 .
• SecuredOperationsTable 177 defines the format secured operations 191 .
• SecuredResourceTypesTable 176 defines the formation for secured resource types 181 .
• SecuredResourceTable 174 defines the format for secured resources 182 .
• SecuredResourcePermissonsTable 172 defines the format for security table 112 .
• PrincipalSecurtyClaimsTable 171 defines the format for claims list 143 .
• the principal, in PrincipalSecurtyClaimsTable 171 can correspond to a SQL server login SID (i.e., suser_sid( ). Ordinary repository users can be prevented from accessing these tables.
• SecurityClaimsTypeTable 175 defines the types of claims, such as, for example, an operating system specific, that can be processed.
• SecurityClaimsTable 173 defines a claim format for claims included in a token.
• base tables for storing security information can include a normalized structure. For example, security claims can be factored into their own table.
• adding or removing a container or a container version also adds or removes the corresponding secured resource entries (e.g., in security table 112 ) via associated triggers and referential actions.
• column level permissions may also be associated with database roles
• database roles are a flexible way to control the permissions sets of a group of users.
• a set of helper functions can abstract the tasks of finding and changing permissions sets.
• Inline table valued functions can be used to provide high performance, highly parallelizable implementations of routines tat return permission sets for individual principals.
• table valued function based implementations provide for future security model extensions by abstracting away the underlying security implementation.
• client module 102 can submit operation request 141 to repository 101 .
• Security processing module 104 can receive operation request 141 .
• Operation request can be a request to read or update resources of repository 101 .
• FIG. 1C illustrates other components of repository 101 .
• security processing module 104 includes authorization module 161 .
• authorization module 161 can access an operation request from a principal, access a claims list for the principal, access a set of permissions, and access metadata. From the accessed information, authorization module 161 returns an ID for any resource the principal is authorized to perform the operation on.
• the list of IDs can be passed to data access module 162 .
• Data access module 162 matches each ID to an identified resource.
• Data access module 162 then performs the requested operation each identified resource.
• Data access module 162 can pass the results of the operation (which can include identified resources, for example, for a read operation) to the requesting principal. For example, data access module can return result 142 to client module 102 .
• FIG. 3 illustrates a flow chart of an example method 300 for providing secure access to resources in a resource store. Method 300 will be described with respect to the components and data in FIGS. 1A and 1C .
• Method 300 includes an act of receiving a request over a session connected to the resource store, the request to perform an operation on secured resources of a specified resource type contained in the resource store (act 301 ).
• security processing module 104 can receive operation request 141 over session 109 .
• Operation request 141 is a request to perform operation 151 Read Framework 2.0 (e.g., stored in storage 163 ).
• Operation 151 can be forwarded on to authorization module 161 (along with context information identifying session 109 ).
• Method 300 includes an act of referring to a claims list for the session, the claims list including claims for the connection accumulated from one or more previously received security tokens, each claim asserting identify information for the session (act 302 ).
• authorization module 161 can refer to claims list 143 for session 109 .
• Method 300 includes an act of referring to a security table at the resource store, the security table containing permissions for accessing secured resources contained in the resource store, the permissions defining secured operations that are authorized for secured resources contained in the resource store based on received identity information (act 303 ).
• authorization module 161 can refer to security table 112 .
• Method 300 includes an act of determining from the permissions that the session is authorized to perform the requested operation on secured resources of the specified resource type based on the accumulated claims contained in the claims list (act 304 ).
• authorization module 161 can determine form permissions 113 that session 109 is authorized to read resources of container Framework version 2.0.
• Method 300 includes an act of performing the requested operation for any secured resources of the specified type contained in the resource store (act 305 ).
• Authorization module 161 can pass authorized data access 192 to data access module 162 .

Abstract

Description

Claims (15)

Priority Applications (1)

Applications Claiming Priority (2)

Related Parent Applications (1)

Publications (2)

Family

ID=41258029

Family Applications (2)

Family Applications Before (1)

Country Status (1)

Families Citing this family (11)

Citations (79)

Family Cites Families (1)

• 2008
  • 2008-04-30 US US12/112,773 patent/US8095963B2/en active Active
• 2011
  • 2011-11-02 US US13/287,421 patent/US8453217B2/en active Active

Patent Citations (80)

Non-Patent Citations (47)

Also Published As

Similar Documents

Legal Events